Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
   identifying one or more positions in a physical memory associated with a virtual machine;
   detecting a write operation to at least one of the one or more positions;
   tracking the write operation in a cluster map that holds information about one or more modified clusters of the physical memory;
   converting the one or more modified clusters of the physical memory to a set of modified files for a file system of the virtual machine using per-file occupation information provided by the file system;
   identifying at least one file on the virtual machine from the set of modified files for the file system;
   receiving an on-access request for the virtual machine; and
   scanning the virtual machine prior to access to the virtual machine using the physical memory independently of any specific application programming interfaces (APIs) for the virtualization technology, wherein scanning includes performing a scan of the at least one file at the file level with a facility independent of a virtualization capability used to manage the virtual machine, and wherein scanning includes using the set of modified files to limit a scan to a portion of the physical memory containing the at least one file.
2. The computer program product of claim 1 wherein the at least one file includes an operating system file.
3. The computer program product of claim 1 wherein the at least one file includes a plurality of files.
4. The computer program product of claim 1 wherein the scan evaluates whether the at least one file includes data corrupted by malicious code.
5. The computer program product of claim 1 wherein the scan evaluates whether the at least one file includes malicious code.
6. The computer program product of claim 1 wherein the scan evaluates the at least one file for a presence of confidential data.
7. The computer program product of claim 1 wherein detecting the write operation includes detecting the write operation within the virtual machine.
8. The computer program product of claim 1 wherein detecting the write operation includes detecting the write operation to a memory location of the physical memory independent from the virtual machine.
9. The computer program product of claim 1 wherein the physical memory includes a disk drive.
10. The computer program product of claim 1 wherein the at least one file includes program data.
11. The computer program product of claim 1 wherein the at least one file includes an executable file.
12. The computer program product of claim 1 wherein the at least one file includes interpretable content.
13. The computer program product of claim 1 wherein the cluster map is tamper proof.
14. The computer program product of claim 1 wherein the at least one file is within the virtual machine.
15. The computer program product of claim 1 wherein the at least one file is outside the virtual machine.
16. The computer program product of claim 1 further comprising code that performs the steps of performing a full scan of the virtual machine and marking every cluster of the cluster map as clean.
17. The computer program product of claim 1 further comprising code that performs the step of performing a remedial action on the at least one file.
18. The computer program product of claim 1 wherein the cluster map resides on a server hosting a security policy for an enterprise, the cluster map being copied for one or more copies of the virtual machine within the enterprise.
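The data flow recited in claim 1 (track writes in a cluster map, convert modified clusters to files using per-file occupation information, limit the scan to those files) and the reset in claim 16 can be sketched as follows. This is an added illustration, not code from the patent; the cluster size, the class and function names, and the occupation table are constructed assumptions.

```python
CLUSTER_SIZE = 4096  # assumed cluster size in bytes

class ClusterMap:
    """Bitmap of clusters written since the last full scan."""
    def __init__(self, n_clusters):
        self.n = n_clusters
        self.bits = bytearray((n_clusters + 7) // 8)

    def record_write(self, offset, length):
        """Mark every cluster touched by a write of `length` bytes at `offset`."""
        if length <= 0:
            return
        first, last = offset // CLUSTER_SIZE, (offset + length - 1) // CLUSTER_SIZE
        if offset < 0 or last >= self.n:
            raise ValueError("write outside tracked storage")
        for c in range(first, last + 1):
            self.bits[c >> 3] |= 1 << (c & 7)

    def is_dirty(self, c):
        return bool(self.bits[c >> 3] & (1 << (c & 7)))

    def dirty(self):
        return [c for c in range(self.n) if self.is_dirty(c)]

    def mark_all_clean(self):
        """Reset after a full scan (claim 16)."""
        self.bits = bytearray(len(self.bits))

def scan_plan(cmap, occupation):
    """Convert dirty clusters to modified files, then list the clusters to read.

    occupation: {path: [(first_cluster, cluster_count), ...]}, the per-file
    occupation information supplied by the guest file system.
    """
    files = sorted(
        path for path, extents in occupation.items()
        if any(cmap.is_dirty(c) for s, n in extents for c in range(s, s + n)))
    clusters = sorted({c for p in files for s, n in occupation[p]
                       for c in range(s, s + n)})
    return files, clusters

# Constructed sample data: three files, one of them fragmented.
OCCUPATION = {
    "/windows/system32/kernel32.dll": [(10, 4)],
    "/users/a/report.docx": [(20, 2), (40, 1)],
    "/pagefile.sys": [(100, 8)],
}

def demo():
    cmap = ClusterMap(128)
    cmap.record_write(40 * CLUSTER_SIZE + 100, 10)    # inside cluster 40
    cmap.record_write(13 * CLUSTER_SIZE + 4000, 200)  # spans clusters 13 and 14
    return cmap, scan_plan(cmap, OCCUPATION)
```

In the sample, cluster 14 is dirty but belongs to no file, so it contributes nothing to the scan set, and the untouched page file is never read.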
November 3, 2015